build: add allowed entitlements

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

build/build.go

@@ -24,6 +24,7 @@ import (
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/session/upload/uploadprovider"
+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -55,6 +56,7 @@ type Options struct {
 	CacheFrom []client.CacheOptionsEntry
 	CacheTo   []client.CacheOptionsEntry
 
+	Allow []entitlements.Entitlement
 	// DockerTarget
 }
 
@@ -324,11 +326,12 @@ func toSolveOpt(d driver.Driver, multiDriver bool, opt Options, dl dockerLoadCal
 	}
 
 	so := client.SolveOpt{
-		Frontend:      "dockerfile.v0",
-		FrontendAttrs: map[string]string{},
-		LocalDirs:     map[string]string{},
-		CacheExports:  opt.CacheTo,
-		CacheImports:  opt.CacheFrom,
+		Frontend:            "dockerfile.v0",
+		FrontendAttrs:       map[string]string{},
+		LocalDirs:           map[string]string{},
+		CacheExports:        opt.CacheTo,
+		CacheImports:        opt.CacheFrom,
+		AllowedEntitlements: opt.Allow,
 	}
 
 	if multiDriver {
@@ -454,6 +457,7 @@ func toSolveOpt(d driver.Driver, multiDriver bool, opt Options, dl dockerLoadCal
 	switch opt.NetworkMode {
 	case "host", "none":
 		so.FrontendAttrs["force-network-mode"] = opt.NetworkMode
+		so.AllowedEntitlements = append(so.AllowedEntitlements, entitlements.EntitlementNetworkHost)
 	case "", "default":
 	default:
 		return nil, nil, errors.Errorf("network mode %q not supported by buildkit", opt.NetworkMode)

build/entitlements.go

@@ -0,0 +1,21 @@
+package build
+
+import (
+	"github.com/moby/buildkit/util/entitlements"
+	"github.com/pkg/errors"
+)
+
+func ParseEntitlements(in []string) ([]entitlements.Entitlement, error) {
+	out := make([]entitlements.Entitlement, 0, len(in))
+	for _, v := range in {
+		switch v {
+		case "security.insecure":
+			out = append(out, entitlements.EntitlementSecurityInsecure)
+		case "network.host":
+			out = append(out, entitlements.EntitlementNetworkHost)
+		default:
+			return nil, errors.Errorf("invalid entitlement: %v", v)
+		}
+	}
+	return out, nil
+}

commands/build.go

@@ -44,6 +44,8 @@ type buildOptions struct {
 	squash bool
 	quiet  bool
 
+	allow []string
+
 	// hidden
 	// untrusted   bool
 	// ulimits        *opts.UlimitOpt
@@ -167,6 +169,12 @@ func runBuild(dockerCli command.Cli, in buildOptions) error {
 	}
 	opts.CacheTo = cacheExports
 
+	allow, err := build.ParseEntitlements(in.allow)
+	if err != nil {
+		return err
+	}
+	opts.Allow = allow
+
 	return buildTargets(ctx, dockerCli, map[string]build.Options{"default": opts}, in.progress)
 }
 
@@ -214,6 +222,8 @@ func buildCmd(dockerCli command.Cli) *cobra.Command {
 
 	flags.StringVar(&options.target, "target", "", "Set the target build stage to build.")
 
+	flags.StringSliceVar(&options.allow, "allow", []string{}, "Allow extra privileged entitlement, e.g. network.host, security.insecure")
+
 	// not implemented
 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the build output and print image ID on success")
 	flags.StringVar(&options.networkMode, "network", "default", "Set the networking mode for the RUN instructions during build")

vendor/modules.txt

@@ -36,6 +36,8 @@ github.com/containerd/containerd/remotes
 github.com/containerd/containerd/remotes/docker
 github.com/containerd/containerd/log
 github.com/containerd/containerd/content/local
+github.com/containerd/containerd/containers
+github.com/containerd/containerd/oci
 github.com/containerd/containerd/labels
 github.com/containerd/containerd/reference
 github.com/containerd/containerd/version
@@ -44,12 +46,10 @@ github.com/containerd/containerd/sys
 github.com/containerd/containerd/api/services/content/v1
 github.com/containerd/containerd/content/proxy
 github.com/containerd/containerd/services/content/contentserver
-github.com/containerd/containerd/containers
-github.com/containerd/containerd/oci
-github.com/containerd/containerd
-github.com/containerd/containerd/namespaces
 github.com/containerd/containerd/mount
+github.com/containerd/containerd/namespaces
 github.com/containerd/containerd/snapshots
+github.com/containerd/containerd
 github.com/containerd/containerd/api/services/containers/v1
 github.com/containerd/containerd/api/services/diff/v1
 github.com/containerd/containerd/api/services/events/v1
@@ -83,12 +83,12 @@ github.com/containerd/containerd/events/exchange
 github.com/containerd/containerd/identifiers
 # github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc
 github.com/containerd/continuity
+github.com/containerd/continuity/fs
 github.com/containerd/continuity/pathdriver
 github.com/containerd/continuity/devices
 github.com/containerd/continuity/driver
 github.com/containerd/continuity/proto
 github.com/containerd/continuity/sysx
-github.com/containerd/continuity/fs
 github.com/containerd/continuity/syscallx
 # github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448
 github.com/containerd/fifo
@@ -266,6 +266,7 @@ github.com/moby/buildkit/session
 github.com/moby/buildkit/session/secrets/secretsprovider
 github.com/moby/buildkit/session/sshforward/sshprovider
 github.com/moby/buildkit/session/upload/uploadprovider
+github.com/moby/buildkit/util/entitlements
 github.com/moby/buildkit/util/appcontext
 github.com/moby/buildkit/identity
 github.com/moby/buildkit/util/progress/progressui
@@ -285,7 +286,6 @@ github.com/moby/buildkit/session/grpchijack
 github.com/moby/buildkit/solver/pb
 github.com/moby/buildkit/util/apicaps
 github.com/moby/buildkit/util/appdefaults
-github.com/moby/buildkit/util/entitlements
 github.com/moby/buildkit/session/secrets
 github.com/moby/buildkit/session/sshforward
 github.com/moby/buildkit/session/upload